How to Develop an Effective IAM Strategy


The Importance of IAM Strategy

Whereas data encryption serves as the last line of defence against intruders, identity and access management (IAM) lies at the forefront, acting as the front gate to an organization’s internal systems. An IAM strategy, broadly speaking, is the set of policies and practices an organization uses to ensure that the right users, and only those users, have access to the right resources.

Compared to intrusion paths that bypass authentication by exploiting vulnerabilities in systems and web applications, an attack on mismanaged IAM lets the attacker log in with valid credentials and blend in with legitimate activity. Such logins do leave records, but nothing looks broken, so these attacks are much harder to detect, giving the attacker plenty of time inside the network to deploy malware, move laterally and retrieve data.

This is why many large-scale data breaches and ransomware attacks start with something as simple as a phishing email or a brute force attack against an exposed login. Preventing them requires a robust IAM strategy that is established, maintained and enforced across the whole organization.

It isn’t just about strong passwords or multi-factor authentication (MFA). Those are important parts of a successful IAM strategy, but there are many other aspects an organization must consider.

Here are some practices every IT manager should consider for their IAM strategy.


Adopt an Authentication System

Instead of relying on the native authentication built into each application, organizations should adopt a central authentication system so that additional factors, such as a mobile one-time password (OTP) or biometric verification, can be enforced consistently. An authentication system, often referred to as an MFA system, is software that intercepts the application login process and adds a second layer of identity verification, processed by its own server independently of the application server.

The authentication server checks the MFA credentials against its own database, decides whether to grant access according to its identity verification and access control policies, and then returns the authentication result to the application service. Because the second-factor secrets live only on the authentication server, a compromise of an individual application does not expose them.
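The flow described above, as an added illustration that is not code from the original page or from iSIGN+: an authentication service that holds the users' second-factor secrets, verifies a time-based OTP (RFC 6238 TOTP over RFC 4226 HOTP) within a small clock-drift window, rejects a code that has already been accepted, and hands back only a verdict for the application to act on. The user store, secrets and clock values are constructed for the example; the RFC test key is used so the codes can be checked against the published vectors.

```python
"""Second-factor (TOTP) verification as an independent authentication service.

Added example, not iSIGN+ or any other product's code. The user store and
the clock values passed to verify() are constructed for the demonstration.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
WINDOW = 1     # accept one step of clock drift on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the number of time steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


class AuthServer:
    """Holds per-user MFA secrets separately from the application server.

    The application only ever receives the verdict dictionary, never a secret.
    """

    def __init__(self, users):
        # users: {username: (secret_bytes, enabled)} -- constructed store
        self._users = users
        # highest time step already accepted per user: each code is usable once
        self._last_step = {}

    def verify(self, username: str, code: str, now: Optional[int] = None) -> dict:
        now = int(time.time()) if now is None else now
        entry = self._users.get(username)
        if entry is None or not entry[1]:
            return {"result": "denied", "reason": "unknown_or_disabled_user"}
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return {"result": "denied", "reason": "bad_code"}
        secret = entry[0]
        current = now // STEP
        for step in range(current - WINDOW, current + WINDOW + 1):
            # constant-time comparison so timing does not leak which digits matched
            if hmac.compare_digest(hotp(secret, step), code):
                if step <= self._last_step.get(username, -1):
                    return {"result": "denied", "reason": "code_replayed"}
                self._last_step[username] = step
                return {"result": "ok", "user": username}
        return {"result": "denied", "reason": "bad_code"}


# Constructed demo store using the RFC 4226/6238 test key.
RFC_KEY = b"12345678901234567890"
DEMO_USERS = {"alice": (RFC_KEY, True), "bob": (RFC_KEY, False)}

if __name__ == "__main__":
    server = AuthServer(DEMO_USERS)
    print(server.verify("alice", totp(RFC_KEY, 59), now=59))  # ok
    print(server.verify("alice", totp(RFC_KEY, 59), now=59))  # code_replayed
    print(server.verify("bob", totp(RFC_KEY, 59), now=59))    # disabled user
```

The replay check is the part most often missed in home-grown MFA: without remembering the last accepted time step, a code captured by a phishing page remains valid for the whole drift window.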

iSIGN+ is one of the first appliance-type authentication systems on the market capable of single sign-on (SSO). Once a user has been authenticated for one application, iSIGN+ passes that result to every application server connected to the SSO server, so the user can reach all the services they are authorized to use without logging in again. iSIGN+ is FIDO2 compliant and is a cryptographic module certified by the National Intelligence Service (NIS) of Korea.


Secure Mobile Access

With a record number of employees working off-site, work is becoming not only more remote but also more mobile, with many users reaching their work accounts from personal mobile devices. Holding virtual meetings and signing in to work accounts from a smartphone is now routine. Yet many organizations remain unprepared for this change and do not include mobile access in their IAM strategy.

For instance, the authentication policy adopted by most organizations verifies only the user’s credentials, not the device they are using. Since the organization has no control over the patch level or security state of a personal device, it may need to restrict what such devices can reach, depending on the sensitivity of the workload: for example, permitting email from an unmanaged phone while reserving administrative consoles for managed devices.


Establish a Deprovisioning Policy

Every year, employees join and leave an organization. Most organizations have a streamlined onboarding process that sets up accounts and grants new hires access to the workloads they need. Far fewer have a clear procedure for offboarding, and as a result many former employees can still sign in to their work accounts months after leaving. No matter how secure the authentication system is, if an outsider is still recognized as a legitimate user, a huge gap remains open. Organizations must therefore establish a clear deprovisioning procedure, tied to the HR separation date, and audit the directory regularly for accounts that should already have been disabled.
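One way to catch the failure mode described above, as an added example rather than code from the original page: reconcile a directory export against the HR roster and flag enabled accounts that belong to separated staff, have no owner at all, or have not been used for a long time. The roster, the directory rows, the 90-day dormancy threshold and the audit date are all constructed for the illustration.

```python
"""Deprovisioning audit: reconcile a directory export against the HR roster.

Added example, not Penta Security's code. Roster, directory rows, threshold
and audit date are constructed for the demonstration.
"""
from datetime import date

STALE_DAYS = 90            # assumed threshold for a "dormant" account
AUDIT_DATE = date(2024, 3, 4)

# Constructed HR roster: employment status and, if separated, the leaving date.
HR_ROSTER = {
    "alice": {"status": "active", "left": None},
    "bob":   {"status": "separated", "left": date(2023, 11, 30)},
    "carol": {"status": "active", "left": None},
}

# Constructed directory export: account name, enabled flag, last sign-in.
DIRECTORY = [
    {"account": "alice",      "enabled": True,  "last_login": date(2024, 3, 1)},
    {"account": "bob",        "enabled": True,  "last_login": date(2024, 2, 14)},  # used after leaving
    {"account": "carol",      "enabled": True,  "last_login": date(2023, 10, 2)},  # long unused
    {"account": "svc-backup", "enabled": True,  "last_login": date(2024, 2, 28)},  # nobody in HR owns it
    {"account": "dave",       "enabled": False, "last_login": date(2023, 6, 1)},   # correctly disabled
]


def audit(directory, roster, today, stale_days=STALE_DAYS):
    """Return a list of (account, issue) for enabled accounts that need attention.

    Issues, in order of severity:
      signed_in_after_separation  account used after the HR leaving date
      enabled_after_separation    separated owner, account still enabled
      no_owner_in_hr              no matching person in the roster
      dormant                     active owner but no sign-in for stale_days
    """
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue  # already deprovisioned
        name = acct["account"]
        person = roster.get(name)
        if person is None:
            findings.append((name, "no_owner_in_hr"))
        elif person["status"] != "active":
            left = person["left"]
            if left is not None and acct["last_login"] > left:
                findings.append((name, "signed_in_after_separation"))
            else:
                findings.append((name, "enabled_after_separation"))
        elif (today - acct["last_login"]).days > stale_days:
            findings.append((name, "dormant"))
    return findings


def run_audit():
    """Run the audit over the constructed data."""
    return audit(DIRECTORY, HR_ROSTER, AUDIT_DATE)


if __name__ == "__main__":
    for account, issue in run_audit():
        print(f"{account}: {issue}")
```

The "signed_in_after_separation" case is the one to treat as an incident rather than a housekeeping item: the account was not merely left enabled, someone actually used it after the owner had gone.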


Strictly Limit External Access

As digital infrastructure becomes more complex, many organizations work with software vendors and managed service providers (MSPs) to deliver more comprehensive services and solutions to their customers. It is usually unavoidable to grant these third parties access to the relevant workloads, and that exposes the organization to software supply chain compromise: an attacker who compromises a supplier or partner can use the partner’s access to travel down the supply chain into the network.

As with former employees, a set of policies should strictly limit third-party access to the absolute minimum: scoped to the specific systems the vendor supports, time-bound, logged, and removed when the engagement ends. Administrative access should never be granted to outsiders.


On a final note, every organization should build a well-rounded IAM strategy around the nature of its business, its system architecture, and the sensitivity of its workloads. SMEs that lack the capability to do so in-house should consider adopting an IAM solution. For detailed inquiries, contact Penta Security’s security consulting team.


For more information on security implementation, check out Penta Security’s product lines:

Web Application Firewall: WAPPLES

Database Encryption: D’Amo

Identity and Access Management: iSIGN+ 

Automotive, Energy, Industrial, and Urban Solutions: Penta IoT Security